input {
  beats {
    port => "5044"
    ssl => false
    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
    ssl_certificate => "/usr/share/logstash/filebeat.crt"
    ssl_key => "/usr/share/logstash/filebeat.key"
    tags => [ "beat" ]
  }
}
filter {
  if [type] == "ids" or [type] =~ "bro" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_field => { "sensor_name" => "%{[beat][name]}" }
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
      remove_field => [ "beat", "prospector", "input", "offset" ]
    }
  }
  if [type] =~ "ossec" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_field => { "syslog-host_from" => "%{[beat][name]}" }
      remove_field => [ "beat", "prospector", "input", "offset" ]
    }
   }
    if [type] == "osquery" {
    mutate {
      rename => { "host" => "beat_host" }
      remove_tag => ["beat"]
      add_tag => ["osquery"]
        	}
   json {
    source => "message"
    target => "osquery"
        }
  }
}